Safety net
Posted on 3 Jul 2002 at 16:24
By default, most Linux distributions, including SuSE and RedHat, enable the Apache web server as a standalone server. You can disable this server by deleting the 'S'-prefix links that point to the rc script /etc/init.d/apache, or by deleting or renaming the rc script. By renumbering the script or creating new links you can control when and how it is started up. It's important to identify what run level your system boots into by default. There's a line in /etc/inittab that begins 'initdefault:' and specifies this run level; find it, then examine the services that are started or stopped in that level.
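The shell functions below are an added illustration, not part of the original article: they read the default run level from an inittab, list the 'S' links for that level and delete one service's start link, as described above. The rc directory layout, the link names and the usual SysV entry form id:N:initdefault: are assumptions, and the demo runs against a constructed temporary tree rather than /etc.

```shell
# Print the default run level from a SysV inittab (assumed entry form id:N:initdefault:).
default_runlevel() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# List the start links (S<nn><name>) for one run level.
# $1 = directory that holds rcN.d (assumed; differs between distributions), $2 = run level
started_services() {
    for link in "$1/rc$2.d"/S[0-9][0-9]*; do
        [ -L "$link" ] || continue      # skip the unexpanded pattern and non-links
        basename "$link"
    done
}

# Stop a service starting in one run level by deleting its S link; the rc script stays.
# $1 = rc base directory, $2 = run level, $3 = service name
disable_service() {
    for link in "$1/rc$2.d"/S[0-9][0-9]"$3"; do
        [ -L "$link" ] || continue
        rm -- "$link"
    done
}

# Constructed sample tree, so the example runs offline and touches nothing in /etc.
demo=$(mktemp -d)
mkdir -p "$demo/init.d/rc5.d"
printf '%s\n' '# default run level' 'id:5:initdefault:' > "$demo/inittab"
: > "$demo/init.d/apache"
: > "$demo/init.d/sshd"
ln -s ../apache "$demo/init.d/rc5.d/S20apache"
ln -s ../sshd "$demo/init.d/rc5.d/S12sshd"

level=$(default_runlevel "$demo/inittab")
echo "default run level: $level"
started_services "$demo/init.d" "$level"
disable_service "$demo/init.d" "$level" apache
echo "after disabling apache:"
started_services "$demo/init.d" "$level"
rm -rf "$demo"
```

On a real system, point the functions at /etc/inittab and at the directory that holds your distribution's rcN.d directories, and run the listing before deleting anything.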
Security measures
Every Linux distribution has security holes. A typical heavyweight distribution may have 20 million lines of code, and the odds are it contains unknown or unquantifiable bugs that some cracker can exploit to gain control of your system.
If you run a publicly connected machine, you need to take a couple of routine measures. First, your distributor almost certainly runs a website with software updates and security patches. Keep an eye on this or use the distribution's automatic update feature to install cryptographically signed security patches from the distributor. Linux distributors aren't always on the ball in spotting new problems and producing patches, so your early warning radar is essential. If a problem is identified, you need to disable the service at once and worry about installing a patch later.
Watch out for new security announcements. Subscribe to the BugTraq mailing list, which is used for announcements of new security holes. There's a corresponding MS-BugTraq for Microsoft-related incidents but the original BugTraq list, and the associated Linux-SecNews list, is where Unix security holes surface first. Forget the Computer Emergency Response Taskforce (CERT); it always seems to be the last to know anything. Details of the BugTraq mailing list are at www.securityfocus.com. Read the FAQ about the list before you subscribe at www.securityfocus.com/frames/?content=/about/feedback/subscribe.html.
If you're running RedHat, check RedHat support's security alert page at www.redhat.com/support/alerts and install the upgrades and updates from www.redhat.com/apps/support/updates.html. Alternatively, use the RedHat network system to install patches for your system automatically. Details are at https://rhn.redhat.com.
Yast aside
If you're using SuSE Linux, you can automatically update your system online using the YAST2 system administration tool. While running X, type 'yast2' and enter the root password when prompted. When the Control Center runs, look under 'Software' for 'Online Update'. This is best done over a broadband connection such as a cable modem or ADSL line if you select the 'automatic' option. If you use a modem for dialup access to the internet, you should manually pick and choose the updates to install and focus on security patches. Otherwise, pulling in the whole lot will take forever. You can read about SuSE's security announcements at www.suse.com/us/support/security/index.html.
Debian Linux users will of course be sniggering up their sleeves by this point. The 'get advanced package tool' (apt-get) command can be configured to grab packages over the network via a variety of protocols and from a number of servers. This automatically keeps all package versions in sync. However, as Debian tends to be used by experts, this advice is redundant.
In addition to these tips, almost all major distributions have scripts available for 'hardening' them. Bastille Linux is a system that hardens RedHat and Mandrake distributions, found at www.bastille-linux.org. SuSE also has a hardening script, accessed via the YAST2 control centre. You can't rely on hardening scripts to do everything for you, though. They work only against those attacks the authors knew about and new attacks may get around them.